Astrix Research Team Uncovers Credential Risk in the Majority of MCP Servers and Releases Open-Source Tool to Mitigate It

News provided by

Astrix Security

Oct 15, 2025, 08:37 ET

Astrix's new open-source tool, 'MCP Secret Wrapper', helps eliminate systemic credential risks in AI agent development, after research found that the majority of MCP servers rely on hard-coded credentials

NEW YORK, Oct. 15, 2025 /PRNewswire/ -- Researchers at Astrix Security, the leader in AI Agent security, today released the State of MCP Server Security 2025 research, highlighting a foundational security flaw in the adoption of Model Context Protocol (MCP) servers, the technology that enables AI agents to access tools, data, and systems. The research, which analyzed over 5,200 public repositories, reveals that while MCP server adoption is exploding to an estimated 20,000 implementations on GitHub, the ecosystem is being built on a dangerously insecure foundation: the widespread use of hardcoded, long-lived credentials.

Continue Reading
MCP Secret Wrapper.
MCP Secret Wrapper.

The State of MCP Server Security 2025 research reveals a consistent pattern of poor credential hygiene: while 88% of MCP servers require credentials, more than half (53%) still rely on static API keys or Personal Access Tokens (PATs), long-lived credentials that require continuous rotation to remain secure. Only 8.5% use OAuth, the preferred delegation framework, while 79% of API keys were found to be passed via simple environment variables. This pattern reflects a wider security issue highlighted in the latest Verizon Data Breach Investigations Report (DBIR), which identifies credential exposure as a leading cause of account compromise.

To mitigate systemic risks and help enterprises and developers secure MCP servers, Astrix has released the MCP Secret Wrapper, an open-source tool that fetches secrets from a vault at runtime to eliminate hard-coded credentials. The tool is available now on GitHub.

"MCP servers are fast becoming a backbone for AI agent development and deployment, but the way credentials are handled today is a ticking time bomb," said Tal Skverer, Research Team Lead at Astrix Security. "Our research shows that a systemic reliance on exposed, coarse-grained, long-lived credentials has become the de facto standard for agent integrations. This toxic combination of hard-coded credentials, which heightens the risk of credential leakage and overly permissive access usually granted to agents, significantly increases both the likelihood and the potential impact of an attack. Removing hard-coded credentials with the wrapper is a critical first step, but it's only one piece of the puzzle," continued Skverer. "It doesn't solve the problem of secrets being overly-permissive or long-lived."

Astrix security researchers also recommend organizations take immediate steps to:

  • Replace hard-coded credentials with credentials fetched at runtime, eliminating credentials in servers and endpoints.
  • Enforce least-privilege access for Non-Human Identities (NHIs).
  • Continuously monitor usage to detect anomalies in real-time.

Beyond the open-source MCP Secret Wrapper, Astrix enables organizations to become agentic-ready and scale their AI agent initiatives responsibly with Astrix's Agent Control Plane (ACP), the industry's first solution designed to deploy secure-by-design AI agents across the enterprise. With the ACP, every AI agent receives short-lived credentials and policy-defined access, enforcing least-privilege, conditional, and Just-In-Time (JIT) permissions to ensure organizations can safely accelerate productivity with AI.

Check out how the MCP Secret Wrapper works hereyoutu.be/xRE9SDetKic

About Astrix Security
Astrix secures the full lifecycle of AI agents and the Non-Human Identities (NHIs) that power them, extending traditional IAM to govern the modern AI attack surface. While agents and other NHIs outnumber humans 100:1, they remain under the radar, creating the biggest blindspot in our identity perimeter. Astrix provides a unified solution for the continuous discovery of all AI agents and NHIs, secure and remediate excessive privileges, real-time threats, and adoption of new agents responsibly with 'secure by design' guardrails like Agentic just-in-time access. Enabling our customers to responsibly adopt and accelerate productivity. Trusted by leading enterprises including Workday, NetApp, Priceline, Figma, Hubspot, Workato and many more.

Media Contact:
Kayla Armstrong
[email protected] 

SOURCE Astrix Security

WANT YOUR COMPANY'S NEWS FEATURED ON PRNEWSWIRE.COM?

icon3
440k+
Newsrooms &
Influencers
icon1
9k+
Digital Media
Outlets
icon2
270k+
Journalists
Opted In
GET STARTED

Also from this source

Astrix Security Announces the First AI Agent Control Plane (ACP) for Secure-by-Design Agent Deployment

Astrix Security Announces the First AI Agent Control Plane (ACP) for Secure-by-Design Agent Deployment

Astrix Security, the leader in AI Agent and Non-Human Identity (NHI) security, today announced the launch of the AI Agent Control Plane (ACP), the...
Astrix Security Joins Elite List of Startups Defining the Future of Cyber

Astrix Security Joins Elite List of Startups Defining the Future of Cyber

Astrix Security, the enterprise's trusted solution for securing non-human identities (NHIs), today announced its inclusion in Rising in Cyber 2025,...
More Releases From This Source

Explore

Artificial Intelligence

Artificial Intelligence

Data Analytics

Data Analytics

Data Analytics

Data Analytics

High Tech Security

High Tech Security

News Releases in Similar Topics